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1.  Description  of  the  Scientific  Research  Goals 

The  principal  goal  of  this  project  is  to  apply  techniques  from  automated  deduc¬ 
tion  to  programs  in  real-world  and  robotic  planning  and  the  synthesis  of  imperative 
programs.  Expected  benefits  include  a  reduction  in  the  human  effort  required  to 
develop  complex  plans  and  programs,  a  reduction  in  the  error-rate  associated  with 
planning  and  programming,  and  an  increase  in  the  ease  of  modifying  existing  plans 
and  programs  to  accommodate  to  changes  in  purpose  and  environment.  _ 

2.  Background:  Deductive  Tableau 

For  many  years  SRI  has  been  working  (principally  under  ONR  and  NSF  sup¬ 
port)  on  the  automatic  synthesis  of  computer  programs.  We  have  developed  a 
deductive  approach  to  this  problem  [Manna  and  Waldinger  86A]  according  to  which 
programming  is  regarded  as  a  task  in  theorem  proving.  To  construct  a  program  that 
will  meet  a  given  specification,  one  proves  the  existence  of  an  output  that  satisfies 
the  specified  conditions.  The  proof  is  restricted  to  be  sufficiently  constructive  to 
indicate  a  computational  method  for  finding  such  an  output.  This  method  then 
becomes  the  basis  for  a  computer  program  that  is  extracted  from  the  proof. 

A  program  constructed  in  this  way  is  guaranteed  to  meet  its  specification  and 
requires  no  further  verification.  The  structure  of  such  a  program  will  reflect  the 
form  of  the  proof  from  which  it  has  been  extracted.  In  particular,  case  analysis 
in  the  proof  corresponds  to  a  conditional  test  in  the  program,  and  mathematical 
induction  in  the  proof  corresponds  to  a  recursive  construct  in  the  program. 

We  have  introduced  a  deductive-tableau  theorem-proving  framework  that  is  es¬ 
pecially  well  suited  to  the  program  synthesis  application.  This  framework  incorpo¬ 
rates  several  of  the  most  successful  techniques  in  automated  reasoning,  including 
nonclausal  resolution,  conditional  rewriting,  and  mathematical-induction  rules. 

The  deductive  approach  was  originally  developed  for  the  synthesis  of  applicative 
programs,  which  yield  an  output  but  alter  no  data  structures.  More  recently,  we 
have  extended  the  approach  to  the  synthesis  of  imperative  programs,  which  can  alter 
data  structures  as  part  of  their  intended  behavior.  This  extension  is  immediately 
applicable  to  problems  in  real-world  and  robotic  planning.  Plans  are  closely  anal¬ 
ogous  to  imperative  programs  in  that  actions  resemble  instructions,  tests  resemble 
conditionals,  and  the  world  model  may  be  regarded  as  a  data  structure. 
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3.  Progress 

A.  Fluent  Theory 

As  part  of  our  effort  to  extend  the  deductive  approach  to  imperative  program 
synthesis  and  planning,  we  have  introduced  a  new  fluent  theory ,  a  first-order  logical 
theory  in  which  operations  are  explicit  objects;  in  other  words,  variables  and  terms 
can  stand  for  operations  and  quantifiers  can  range  over  operations.  Here  opera¬ 
tions  include  instructions  (or  actions),  sequences  of  instructions,  and  conditional 
instructions.  To  construct  an  imperative  program  meeting  a  given  specification,  we 
prove  (within  fluent  theory)  the  existence  of  an  operation  satisfying  the  specified 
conditions.  Just  as  in  the  synthesis  of  applicative  programs,  an  imperative  program 
meeting  the  specified  conditions  is  then  extracted  from  the  proof. 

The  same  deductive-tableau  framework  that  we  have  used  for  the  synthesis  of 
applicative  programs  can  be  adapted  readily  to  the  synthesis  of  imperative  pro¬ 
grams  (and  plans).  Properties  of  the  world,  descriptions  of  the  instructions,  and 
specification  of  the  goal  are  all  expressible  as  sentences  in  fluent  theory.  As  in  the 
synthesis  of  applicative  programs,  conditional  programs  are  introduced  by  the  use 
of  case  analysis  in  the  proof,  and  recursive  programs  by  the  use  of  the  induction 
principle.  The  deductive  approach  contrasts  with  much  work  in  planning,  which 
avoids  the  problem  of  forming  conditional  and  recursive  plans. 

B.  Implementation  of  the  Deductive- Tableau  System 

In  the  past  few  months  we  have  been  engaged  in  the  implementation  of  a 
deductive-tableau  theorem  prover.  Although  out  intention  is  to  automate  as  much 
as  possible  of  the  programming  process,  this  first  implementation  is  interactive. 
The  system  displays  the  proof  so  far;  the  user  selects  the  next  rule  and  indicates 
how  it  is  to  be  applied;  the  system  applies  the  rule  and  (if  the  application  is  legal) 
displays  the  new  tableau.  When  the  proof  is  complete,  the  system  extracts  the 
corresponding  program  or  plan. 

The  system  is  intended  for  experimental  and  educational  purposes.  It  is  cur¬ 
rently  being  used  to  introduce  Stanford  University  students  to  the  deductive-tableau 
framework. 
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C.  Exposition 

For  the  past  several  years  Manna  and  Waldinger  have  been  engaged  in  an  in¬ 
troductory  exposition  of  those  aspects  of  logic  and  automated  deduction  that  are 
relevant  to  problems  in  program  synthesis  and  planning.  The  second  volume  of  this 
work,  The  Logical  Basts  for  Computer  Programming:  Deductive  Systems,  is  now 
near  completion  [Manna  and  Waldinger  89].  It  contains  a  good  introduction  to  the 
deductive-tableau  framework,  and  includes  descriptions  of  skolemization,  unifica¬ 
tion,  resolution,  and  well-founded  induction. 

D.  Database  Management 

The  problem  of  updating  a  database  has  much  in  common  with  imperative 
program  synthesis  and  planning,  and  we  have  had  some  success  in  applying  the 
deductive  approach  to  database  problems.  In  collaboration  with  a  Stanford  Ph.D. 
student  specializing  in  database  mangement,  we  have  extracted  database  update 
programs  from  fluent-theory  proofs.  This  work  is  reported  in  the  database  litera¬ 
ture  [Qian  and  Waldinger  88]. 

4.  Summary 

The  following  accomplishments  have  been  supported  by  ONR  Contract  N00014- 
84-C-0706: 

•  Development  of  a  fluent  theory  for  the  derivation  of  imperative  programs  and 
plans. 

•  Application  of  fluent  theory  to  planning. 

•  Extension  of  the  deductive-tableau  framework  to  produce  fluent-theory  proofs. 

•  Implementation  of  an  interactive  system  to  prove  theorems  within  the  deductive- 
tableau  framework. 

•  Completion  of  the  second  volume,  Deductive  Systems,  of  the  book  The  Logical 
Basis  for  Computer  Programming. 

•  Application  of  fluent  theory  to  the  derivation  of  programs  for  updating  databases. 
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5.  Publications 

A  paper  on  fluent  theory  and  its  application  to  imperative  program  synthesis, 
“The  Deductive  Synthesis  of  Imperative  LISP  Programs,”  was  presented  at  the 
1987  National  Conference  on  Artificial  Intelligence,  and  appeared  in  the  proceedings 
[Manna  and  Waldinger  87B).  A  description  of  the  application  of  fluent  theory  to 
planning  problems,  “How  to  Clear  a  Block:  A  Theory  of  Plans,”  was  presented  (in 
parts)  at  various  workshops  and  appears  in  the  Journal  of  Automated  Reasoning 
[Manna  and  Waldinger  87C].  A  reprint  is  attached. 

A  description  of  the  application  of  fluent  theory  to  database  management  [Qian 
and  Waldinger  88],  “A  Transaction  Logic  for  Database  Specification,”  appears  in 
the  proceedings  of  SIGMOD’88.  A  response  [Waldinger  87]  to  Drew  McDermott’s 
critique  on  deductive  methods,  “The  Bomb  in  the  Toilet,”  appears  in  Computational 
Intelligence.  A  basic  introduction  to  the  deductive-tableau  method  and  a  typical 
example  of  its  application,  “The  Origin  of  a  Binary-Search  Paradigm,”  [Manna  and 
Waldinger  87A]  appears  in  the  journal  Science  of  Computer  Programming.  The 
Logical  Basis  for  Computer  Programming,  Volume  II:  Deductive  Systems  [Manna 
and  Waldinger  89],  will  be  published  by  Addison- Wesley. 

6.  Future  Research 

Our  plans,  reflected  in  our  current  proposal  to  ONR,  include  the  following: 

•  Implementation  of  an  automatic  system  for  planning  and  imperative  program 
synthesis. 

•  Extension  of  the  approach  to  allow  the  synthesis  of  concurrent  plans  and 
programs. 

•  Extension  of  the  approach  to  take  into  account  the  efficiency  and  other  ratings 
of  quality  of  the  derived  plan  or  program. 
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“VAbstHMH,  Problems  incbmmonsense  and  robot  planning  are  approached  by  methods  adapted  from  program 
synthesis  research;  planning  is  regarded  as  an  application  of  automated  deduction.  To  support  this 
approach,  we  introduce  a  variant  of  situational  logic,  called  plan  theory,  in  which  plans  are  explicit  objects. 

A  machine-oriented  deductive-tableau  inference  system  is  adapted  to  plan  theory.  Equations  and 
equivalences  of  the  theory  are  built  into  a  unification  algorithm  for  the  system.  Frame  axioms  are  built  into 
the  resolution  rule. 

Special  attention  is  paid  to  the  derivation  of  conditional  and  recursive  plans  Inductive  proofs  of 
theorems  for  even  the  simplest  planning  problems,  such  as  clearing  a  block,  have  been  found  to  require 
challenging  generalizations.  1  - 


1.  Introduction 

For  many  years,  the  authors  have  been  working  on  program  synthesis,  the  automated 
derivation  of  a  computer  program  to  meet  a  given  specification.  We  have  settled  on 
a  deductive  approach  to  this  problem,  in  which  program  derivation  is  regarded  as  a 
task  in  theorem  proving  (Manna  and  Waldinger  [80],  [85a]).  To  construct  a  program, 
we  prove  a  theorem  that  establishes  the  existence  of  an  output  meeting  the  specified 
conditions.  The  proof  is  restricted  to  be  constructive,  in  that  it  must  describe  a 
computational  method  for  finding  the  output.  This  method  becomes  the  basis  for  the 
program  we  extract  from  the  proof. 

For  the  most  part,  we  have  focused  on  the  synthesis  of  applicative  programs,  which 
yield  an  output  but  produce  no  side  effects.  We  are  now  interested  in  adapting  our 
deductive  approach  to  the  synthesis  of  imperative  programs,  which  may  alter  data 
structures  or  produce  other  side  effects. 


This  research  was  supported  by  the  National  Science  Foundation  under  Grants  DCR-82- 14523  and 
DCR-85-12356.  by  the  Defense  Advanced  Research  Projects  Agency  under  Contract  N00039-84-C-02 1  I. 
by  the  United  States  Air  Force  Office  of  Scientific  Research  under  Contract  AFOSR-85-0383.  by  the  Office 
of  Naval  Research  under  Contract  N00014-84-C-07t)b.  by  United  States  Armv  Research  under  Contract 
DAJA-45-84-C-0040.  and  by  a  contract  from  the  international  Business  Machines  Corporation 

Preliminary  versions  of  parts  of  this  paper  were  presented  at  the  Eighth  International  Conference  on 
Automated  Deduction.  Oxford.  England.  July  1986,  and  the  Workshop  on  Planning  and  Reasoning  about 
Actions.  Timberline.  Oregon.  July  1986 
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Plans  are  closely  analogous  to  imperative  programs,  in  that  actions  may  be 
regarded  as  computer  instructions,  tests  as  conditional  branches,  and  the  world  as  a 
huge  data  structure.  This  analogy  suggests  that  techniques  for  the  synthesis  of 
imperative  programs  may  carry  over  into  the  planning  domain.  Conversely,  we  may 
anticipate  that  insights  we  develop  by  looking  at  a  relatively  simple  planning  domain, 
such  as  the  blocks  world,  would  then  carry  over  to  program  synthesis  in  a  more 
complex  domain,  involving  array  assignments,  destructive  list  operations,  and  other 
alterations  of  data  structures. 

Consider  the  problem  of  clearing  a  given  block,  where  we  are  not  told  whether  the 
block  is  already  clear  or,  if  not,  how  many  blocks  are  above  it.  Assume  that  we  are 
in  a  blocks  world  in  which  blocks  are  all  the  same  size,  so  that  only  one  block  can  fit 
directly  on  top  of  another,  and  in  which  the  robot  arm  may  lift  only  one  block  at  a 
time.  Then  we  might  expect  a  planning  system  to  produce  the  following  program: 


makeclear(a) 


(if  clear(a) 
then  A 

else  makeelear{hat(a )); 
(_  put)hat(a).  table). 


In  other  words,  to  clear  a  given  block  a  (the  argument),  first  determine  whether  it  is 
already  clear.  If  not.  clear  the  block  that  is  on  top  of  block  a.  and  then  put  that  block 
on  the  table.  Here  A  is  the  empty  sequence  of  instructions,  corresponding  to  no  action 
at  all.  and  hat(a)  is  the  block  directly  on  a ,  if  one  exists.  The  action  put{u.  v)  places 
the  block  u  on  top  of  the  object  v. 

Note  that  the  makeclear  program  requires  a  conditional  ( if-then-e/se )  and  a  recur¬ 
sive  call  to  makeclear  itself.  Planning  systems  have  often  attempted  to  avoid  con¬ 
structing  plans  using  these  constructs  by  dealing  with  completely  known  worlds.  Had 
we  known  exactly  how  many  blocks  were  to  be  on  top  of  block  a.  for  example,  we 
could  have  produced  a  plan  with  no  conditionals  and  no  recursion.  Once  we  begin  to 
deal  with  an  uncertain  environment,  we  are  forced  to  introduce  some  constructs  for 
testing  and  for  repetition. 

A  fundamental  difficulty  in  applying  a  theorem-proving  approach  to  plan  construc¬ 
tion  is  that  the  meaning  of  an  expression  in  a  plan  depends  on  the  situation,  whereas 
in  ordinary  logic  the  meaning  of  an  expression  does  not  change.  Thus,  the  block 
designated  by  hat(a)  or  the  truth-value  designated  by  clear(a)  may  change  from  one 
state  to  the  next.  The  traditional  approach  to  circumventing  this  difficulty  relies  on 
a  situational  logic ,  i.e.,  one  in  which  we  can  refer  explicitly  to  situations  or  states  of 
the  world. 


2.  The  Trouble  with  Situational  Logic 

In  this  section,  we  describe  conventional  situational  logic  and  point  out  some  of  its 
deficiencies  when  applied  to  planning.  These  deficiencies  motivate  the  introduction  of 
our  own  version  of  situational  logic,  called  ‘plan  theory'. 


HOW  TO  CLEAR  A  BLOCK  A  THEORY  OF  PLANS 
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2.1  CONVENTIONAL  SITUATIONAL  LOGIC 

Situational  logic  was  introduced  into  the  literature  of  computer  science  by  McCarthy 
[63].  A  variant  of  this  logic  was  incorporated  into  the  planning  system  QA3  (Green 
[69]).  In  the  QA3  logic,  function  and  predicate  symbols  whose  values  might  change 
were  given  state  arguments.  Thus,  rather  than  speaking  about  hat(x)  or  clear(x),  we 
introduce  the  situational  function  symbol  hat'(w,  x)  and  the  situational  predicate 
symbol  Clear) h\  .x),  each  of  which  is  given  an  explicit  state  argument  w;  for  example. 
hat‘(w.  x)  is  the  block  on  top  of  block  ,x  in  state  w.  Actions  are  represented  as 
functions  that  yield  states;  for  example.  put'(\\\  x,  v)  is  the  state  obtained  from  state 
w  by  putting  block  x  on  object  v. 

Facts  about  the  world  may  be  represented  as  axioms  in  situational  logic.  For 
example,  the  fact  that  the  hat  of  an  unclear  block  is  on  top  of  the  block  is  expressed 
by  the  axiom 

if  not  Clear{w.  ,x) 

then  On{ n.  hat’(w,  .v).  x). 

Actions  can  also  be  described  by  situational-logic  axioms.  For  example,  the  fact 
that  after  block  x  has  been  put  on  the  table,  block  x  is  indeed  on  the  table  is  expressed 
by  the  axiom 

if  Clear)  w,  ,x) 

then  On( put'(w,  x,  table),  x.  table). 

In  a  conventional  situational  logic,  such  as  the  QA3  logic  or  the  similar  logic  of  the 
system  PROW  (Waldinger  and  Lee  [69]),  to  construct  a  plan  that  will  meet  a  specified 
condition,  one  proves  the  existence  of  a  state  in  which  the  condition  is  true.  More 
precisely,  let  us  suppose  that  the  condition  is  of  the  form  i[s0.  a.  r].  where  s0  is  the 
initial  state,  a  the  argument  or  input  parameter,  and  r  the  final  state.  Then  the  theorem 
to  U  proved  is 

(Vs0)(Va)(3s)J[s„,  a.  :]. 

For  example,  the  plan  to  clear  a  block  is  constructed  by  proving  the  theorem 

(Vj„MVa)(3r) Clear):,  a). 

From  a  situational-logic  proof  of  this  theorem,  using  techniques  for  the  synthesis  of 
applicative  programs,  one  can  extract  the  program 

if  Clear) s0.  a) 
then 

else  let  .v,  be  makeclear  (s„.  hat  '(s„.  a))  in 
put'(s,.  hat  (s |.  a),  table). 

This  program  closely  resembles  the  makeclear  program  we  proposed  initially,  except 
that  it  invokes  situational  operators,  which  contain  explicit  state  arguments. 
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monkey 


Fig  I  The  Monkey,  the  Banana,  and  the  Bomb 


:  :  EXECUTABLE  AND  NONEXECUTABLE  PLANS 

It  would  seem  that,  by  regarding  plans  as  state-producing  functions,  we  can  treat  an 
imperative  program  as  a  special  kind  of  applicative  program  and  use  the  same 
synthesis  methods  for  both.  In  other  words,  we  can  perhaps  extract  programs  from 
situational-logic  proofs  and  regard  these  programs  as  pians.  Unfortunately,  there  are 
some  programs  we  can  extract  from  proofs  in  this  formulation  of  situational  logic  that 
cannot  be  regarded  as  plans. 

For  example,  consider  the  problem  illustrated  in  Figure  I  The  monkey  is  presented 
with  two  boxes  and  is  informed  that  one  box  contains  a  banana  and  the  other  a  bomb, 
but  he  is  not  told  which.  His  goal  is  to  get  the  banana,  but  if  he  goes  anywhere  near 
the  bomb  it  will  explode.  As  stated,  the  problem  should  have  no  solution.  However, 
if  we  formulate  the  problem  in  conventional  situational  logic,  we  can  prove  the 
appropriate  theorem. 

(V.rq)(3r)  Hasbananaiz). 

The  ‘program'  we  extract  from  one  proof  of  this  theorem  is 

{if  Hasbanana(goto'{s„.  a)) 
then  goto’(Sj.  a) 
else  goto'(sn.  b). 

According  to  this  plan,  the  monkey  should  ask  whether,  if  it  were  to  go  to  box  a. 
it  would  get  the  banana?  If  so.  it  should  go  to  box  a;  otherwise,  it  should  go  to  box 
b.  We  cannot  execute  this  ‘plan-  because  it  allows  the  monkey  to  consider  whether  a 
given  proposition  Hasbananu  is  true  in  a  hypothetical  state  goro'(s„.  a),  which  is 
different  from  the  current  state  r„. 

We  would  like  to  restrict  the  proofs  in  situational  logic  to  be  constructive,  in  the 
sense  that  the  programs  we  extract  should  correspond  to  executable  plans  This  kind 
of  consideration  has  influenced  the  design  of  our  version  of  situational  logic,  called 
plan  theory. 
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3.  Plan  Theory 

In  plan  theory  we  have  two  classes  of  expressions.  The  static  (or  situational )  expressions 
denote  particular  objects,  states,  and  truth-values.  For  example,  the  static  expressions 
hat'(s,  b ),  Clear(s,  b),  and  put'(s.  b.  c)  denote  a  particular  block,  truth-value,  and 
state,  respectively  (where  b  and  c  denote  blocks  and  s  denotes  a  state).  We  shall  also 
introduce  corresponding  fluent  terms,  which  will  not  denote  any  particular  object, 
truth-value,  or  state,  but  which  will  designate  such  elements  with  respect  to  a  given 
state.  For  example,  the  fluent  terms 

hat(d).  cleared),  and  put(d.  d) 

will  only  designate  a  block,  truth-value,  or  state,  respectively,  with  respect  to  a  given 
state  (where  d  and  d  are  themselves  fluent  terms  that  designate  blocks). 

Fluent  terms  themselves  do  not  refer  to  any  state  explicitly.  To  see  what  element 
a  fluent  term  e  designates  with  respect  to  a  given  state  s,  we  apply  a  linkage  operator 
to  s  and  e.  obtaining  a  static  expression.  We  use  one  of  three  linkage  operators. 

s.e.  s..e,  or  s.e. 

depending  on  whether  e  designates  an  object,  truth-value,  or  state,  respectively.  For 
example,  the  static  expressions 

s:hat(d).  s::clear(d).  and  s.putid.d ) 

will  indeed  denote  a  particular  block,  truth-value,  and  state,  respectively. 

While  we  shall  retain  static  expressions  as  specification  and  proof  constructs,  we 
shall  restrict  our  proofs  to  be  constructive  in  the  sense  that  the  programs  we  extract 
from  them  will  contain  no  static  expressions,  but  only  fluent  terms.  Because  fluent 
terms  do  not  refer  to  states  explicitly,  this  means  that  the  knowledge  of  the  agent  will 
be  restricted  to  the  tmpi  'it  current  state:  it  will  be  unable  to  tell  what.  say.  the  hat  of 
a  given  block  is  in  a  hypothetical  or  future  state.  In  this  way.  we  ensure  that  the 
programs  we  extract  may  be  executed  as  plans.  Nonplans,  such  as  the  getbanana 
'program'  mentioned  above,  will  be  excluded. 

Now  let  us  describe  plan  theory  in  more  detail. 

?  I  ELEMENTS  OF  PLAN  THEORY 

Plan  theory  is  a  theory  in  first-order  predicate  logic  that  admits  several  sorts  of  terms. 

•  The  statu  (situational )  terms,  or  s-terms.  denote  a  particular  element.  They 
include 

M  object  s-terms.  which  denote  an  object,  such  as  a  block  or  the  table. 

■  state  s-terms.  which  denote  a  slate. 

For  example,  hat  (s.  h)  is  an  object  s-ierm  and  put  (s.  h.  r)  is  a  state  s-term.  if  s  is  a 
state  s-term  and  h  and  r  are  object  s-terms. 
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•  The  static  ( situational )  sentences,  or  s-sentences.  denote  a  particular  truth- 
value. 

For  example,  Clearis,  b )  is  an  s-sentence,  if  s  is  a  state  s-term  and  b  an  object  s-term. 

•  The  fluent  terms,  or  /-terms,  only  designate  an  element  with  respect  to  a  given 
state.  They  include 

■  object  f-terms.  which  designate  an  object  with  respect  to  a  given  state. 

■  propositional  f-terms,  which  designate  a  truth-value  with  respect  to  a  given 
state. 

■  plan  f-terms,  which  designate  a  state  with  respect  to  a  given  state. 

For  example,  hand).  ciear(d).  and  pufld.  d)  are  object,  propositional,  and  plan 
f-ierms,  respectively.  The  plan  f-constant  A  denotes  the  empty  plan. 

Object  f-terms  denote  object  fluents,  propositional  f-terms  denote  propositional 
fluents,  and  plan  f-terms  denote  plans.  We  may  think  of  object  fluents,  propositional 
fluents,  and  plans  as  functions  mapping  states  into  objects,  truth-values,  and  states, 
respectively.  Syntactically,  however,  they  are  denoted  by  terms,  not  function  symbols. 
To  determine  what  elements  these  terms  designate  with  respect  to  a  given  state,  we 
invoke  the  in  function  the  in  relation  and  the  execution  function 

3  :  THE  m  FUNCTION  ’  ' 

If  .v  is  a  state  s-term  and  e  an  object  f-term. 

s :  e 

is  an  object  s-term  denoting  the  object  designated  by  e  in  state  s.  For  example. 
,5n :  hat{d)  denotes  the  object  designated  by  the  object  f-term  hat(d)  in  state  sn. 

In  general,  we  shall  introduce  object  f-function  symbols /(«,.  .  ...  u„)  and  object 
^-function  symbols  f  '(w.  x,.  .  .  .  x„)  together,  where /takes  object  fluents  u, ,  .  .  . 

u„  as  arguments  and  yields  an  object  fluent,  while  /'  takes  a  state  w  and  objects 
v,.  .  .  .  .v,  as  arguments  and  yields  an  object.  The  two  symbols  are  linked  in  each 

case  by  the  object  linkage  axiom 

w  :/(«,.  .  .  u,)  =  /  ( n.  m  m,.  .  ...  \e:u„)  ( object  linkage) 

(Implicitly,  variables  in  axioms  are  universally  quantified.  For  simplicity  we  omit  sort 
conditions  such  as  state) u )  from  the  axioms.) 

For  example,  corresponding  to  the  object  f-function  hat(u).  which  yields  a  block 
fluent,  we  have  an  object  s-function  hat' l h.  x).  which  yields  a  fixed  block.  The 
appropriate  instance  of  the  object  linkage  axiom  is 

m  :  hatiu)  -  hat  (it  ,  it  :  m). 

Thus  v  hat(d)  denotes  the  block  on  top  of  block  s :  d  in  state  .v.  (This  is  not  necessarily 
the  same  as  the  block  on  top  of  s  d  in  some  other  state  s  .) 
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3.3.  THE  in  RELATION 

The  in  relation  ::  is  analogous  to  the  in  function  : .  If  s  is  a  state  s-term  and  e  a 
propositional  f-term. 

s::e 

is  a  proposition  denoting  the  truth-value  designated  by  e  in  stale  s.  For  example, 
s0 ::  clear(d)  denotes  the  truth-value  designated  by  the  propositional  f-term  clear(d)  in 
state  s0. 

In  general,  we  shall  also  introduce  propositional  f-function  symbols  r(ut . u„) 

and  s-predicate  symbols  R(w.  .x, ,  .  .  .  ,  x„)  together,  with  the  convention  that  r  takes 

object  fluents  u, . u.,  as  arguments  and  yields  a  propositional  fluent,  while  R  takes 

a  state  w  and  objects  .x, ,  .  .  .  ,  .x„  as  arguments  and  yields  a  truth-value.  The  two 
symbols  are  linked  in  each  case  by  the  propositional-linkage  axiom 

w : :  r(u, . u„)  =  R( ve.  w :  u, . w :  u„ )  ( propositional  linkage) 

For  example,  corresponding  to  the  propositional  f-function  clear(u),  which  yields 
a  propositional  fluent,  we  have  an  actual  relation  Clear{w ,  ,x).  which  yields  a  truth- 
value.  The  instance  of  the  propositional-linkage  axiom  that  relates  them  is 

a  ::elear(u)  =  Clearin',  h  :u). 

Thus  5 ::  clear(d)  is  true  if  the  block  s:d  is  clear  in  state  s. 

3.4  THE  EXECUTION  FUNCTION  V 
If  5  is  a  state  s-term  and  p  a  plan  f-term, 
s;p 

is  a  state  s-term  denoting  the  state  obtained  by  executing  plan  p  in  state  s.  For  example. 
s  ,put(d.  d)  is  the  state  obtained  by  putting  block  d  on  object  d  in  state  5. 

In  general,  we  shall  introduce  plan  f-function  symbols  g(u, . u„ )  and  state 

s-function  symbols  g'(n\  .x, . xj  together,  where  g  takes  object  fluents  w, . 

as  arguments  and  yields  a  plan,  while  g'  takes  a  state  w  and  objects  .v, . ,x,  as 

arguments  and  yields  a  new  state.  The  two  symbols  are  linked  in  each  case  by  the  plan 
linkage  axiom 

w:g(K| . uj  =  g'(K.  w:u, . w:u„)  (plan  linkage) 

For  example,  corresponding  to  the  plan  f-function  put(u.  v).  which  takes  object 
fluents  u  and  v  as  arguments  and  produces  a  plan,  we  have  a  state  s-function 
put'{n\  x.  y),  which  takes  a  state  w  and  the  actual  objects  .x  and  y  as  arguments  and 
produces  a  new  state.  The  appropriate  instance  of  the  plan  linkage  axiom  is 

w.put(u.v)  =  put'(w.  ic  :  u,  w :  v). 
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The  empty  plan  A  is  taken  to  be  a  right  identity  under  the  execution  function;  that 
is, 

m  ;  A  =  w  (empty  plan) 

for  all  states  w. 

3.5.  RIGID  DESIGNATORS 

Certain  fluent  constants  (f-constants)  are  to  denote  the  same  object  regardless  of  the 
state.  For  example,  we  may  assume  that  the  constants  table  and  banana  always  denote 
the  same  objects.  In  this  case,  we  shall  identify  the  object  fluent  with  the  correspond¬ 
ing  fixed  object. 

An  object  f-constant  u  is  a  rigid  designator  if 

k ".u  —  u  (rigid  designator) 

for  all  states  w\ 

For  example,  the  fact  that  table  is  a  rigid  designator  is  expressed  by  the  axiom 
h  :  table  ~  table 

for  all  states  k\  In  the  derivation  of  a  plan,  we  shall  assume  that  our  argument  (or 
input  parameter)  a  is  a  rigid  designator.  On  the  other  hand,  some  f-constants.  such 
as  here ,  the-highest-block,  or  the-president ,  are  likely  not  to  be  rigid  designators. 

3  6  THE  COMPOSITION  FUNCTION 

We  introduce  a  notion  of  composing  plans. 

If  p |  and  p2  are  plan  f-terms.  p, ;;  p:  is  the  composition  of  p,  and  p:. 

Executing  p,  ,;p:  is  the  same  as  executing  first  p,  and  then  p;.  This  is  expressed  by  the 
plan  composition  axiom 

w;(p,  ;;p:)  =  (w;p, );p,  (plan  composition) 

for  all  states  *  and  plans  p,  and  p;.  Normally  we  shall  ignore  the  distinction  between 
the  composition  function  ;;  and  the  execution  function  ; .  writing ;  for  both  and  relying 
on  context  to  make  the  meaning  clear. 

Composition  is  assumed  to  be  associative;  that  is 

(P\  ;;P:);;p.i  =  p, ;;  ( p: ;;  p, )  (associativity) 

for  all  plans  p,.  p;,  and  p,.  For  this  reason,  we  may  write  p,  ;;p.;;p,  without 
parentheses. 

The  empty  plan  A  is  taken  to  be  the  identity  under  composition,  that  is. 

A  ;;p  =  p;:A  =  p  (identity) 

for  all  plans  p. 
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3.7.  SPECIFYING  FACTS  AND  ACTIONS 

As  in  conventional  situational  logic,  facts  about  the  world  may  be  expressed  as  plan 
theory  axioms.  For  example,  the  principal  property  of  the  hat  function  is  expressed 
by  the  hat  axiom 

if  not  Clear{w.  y) 

then  On{n\  hat‘( w.  y),  y)  (hat) 

for  all  states  w  and  blocks  y.  (As  usual,  for  simplicity,  we  omit  sort  conditions  such 
as  statein)  from  the  antecedent  of  the  axiom.)  In  other  words,  if  block  y  is  not  clear, 
its  hat  is  directly  on  top  of  it.  ( If  y  is  clear,  its  hat  is  a  ‘nonexistent’  object,  not  a  block.) 
It  follows,  if  we  take  y  to  be  w.v  and  apply  the  propositional  and  object  linkage 
axioms,  that 

if  not{n  ::  clear(v)) 
then  w ::  on(hat(v).  v ). 

for  all  states  w  and  block  fluents  v.  Other  axioms  are  necessary  for  expressing  other 
properties  of  the  hat  function. 

The  effects  of  actions  may  also  be  described  by  plan  theory  axioms.  For  example, 
the  primary  effect  of  putting  a  block  on  the  table  may  be  expressed  by  the  put-table-on 
axiom 

if  Clearin',  x) 

then  Oni  put  (n-.  x.  table),  x.  table)  ( put-table-on ) 

for  all  states  w  and  blocks  .x.  The  axiom  says  that  after  a  block  has  been  put  on  the 
table,  the  block  will  indeed  be  on  the  table,  provided  that  it  was  clear  beforehand. 
(The  effects  of  attempting  to  move  an  unclear  block  are  not  specified  and  are  therefore 
unpredictable.)  It  follows,  if  we  take  ,x  to  be  n  :u  and  apply  the  linkage  axioms  plus 
the  rigidity  of  the  designator  table,  that 

if  n- cleariu) 

then  On{n  :put{u.  table),  n  :u.  table 1 
for  all  states  a  and  block  fluents  u. 

Note  that,  in  the  consequent  of  the  above  property,  we  cannot  conclude  that 
(v \\putiu.  table)) ::  on(u.  table). 

that  is.  and  after  putting  u  on  the  table,  u  will  be  on  the  table.  This  is  because  u  is  a 
fluent  and  we  have  no  way  of  knowing  that  it  will  designate  the  same  block  in  state 
n  .putiu.  table)  that  it  did  in  state  w  .  For  example,  if  u  is  taken  to  be  hat{a),  the 
property  allows  us  to  conclude  that,  if  sn ::  clearihatia)).  then 

Onis„  :putihatia).  table).  s„  :hatia),  table). 

In  other  words,  the  block  that  was  on  block  a  initially  is  on  the  table  after  execution 
of  the  plan  step.  On  the  other  hand,  we  cannot  conclude  that 

(50  ;  putihatia).  table))  '.,  onihatia).  table). 
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that  is.  that  hat(a)  is  on  the  table  after  the  plan  step  has  been  executed.  In  fact,  in  this 
state,  a  is  clear  and  hat(a)  no  longer  designates  a  block. 

3  8  PLAN  FORMATION 

To  construct  a  plan  for  achieving  a  condition  a.  c],  where  s„  is  the  initial  state. 
a  the  input  object,  and  r  the  final  state,  we  prove  the  theorem 

(Vs0)(Va)(3;,)J[s0.  a.  j„;r,]. 

Here  r,  is  a  plan  variable.  In  other  words,  we  show,  for  any  initial  state  s„  and  input 
object  a.  the  existence  of  a  plan  c,  such  that,  if  we  are  in  state  j„  and  execute  plan  r, . 
we  obtain  a  state  in  which  the  specified  condition  J  is  true.  A  program  producing  the 
desired  plan  is  extracted  from  the  proof  of  this  theorem.  Informally,  we  often  speak 
of  this  program  as  a  plan  itself,  although  in  fact  it  computes  a  function  that  only 
produces  a  plan  when  it  is  applied  to  an  argument. 

Note  that,  in  the  QA3  version  of  situational  logic,  one  proves  instead  the  theorem 

(ViuMValOrl^Ev  a.  :}. 

The  phrasing  of  the  theorem  in  plan  theory  ensures  that  the  final  state  r  can  indeed 
be  obtained  from  •>„  by  the  execution  of  a  plan  r,.  For  example,  the  plan  for  clearing 
a  block  is  constructed  by  proving  the  theorem 

(V.s0)(Va)(3r,  )(C/ear(.v„ :  a)]. 

In  other  words,  the  block  a  is  to  be  clear  after  execution  of  the  desired  plan  r,  in  the 
initial  state  s0. 

In  the  balance  of  this  paper,  we  present  a  machine-oriented  deductive  system  for 
plan  theory  in  which  we  can  prove  such  theorems  and  derive  the  corresponding  plans 
at  the  same  time.  We  shall  use  the  proof  of  the  above  theorem,  together  with  the 
concomitant  derivation  of  the  makeclear  plan,  as  a  continuing  example. 

4.  The  Plan-Theory  Deductive  System 

To  support  the  synthesis  of  applicative  programs,  we  developed  a  deductive-tableau 
theorem-proving  system  (Manna  and  Waldinger  [80],  [85a]).  which  combines  non- 
clausal  resolution,  well-founded  induction,  and  conditional  term  rewriting  within  a 
single  framework.  In  this  paper,  we  carry  the  system  over  into  plan  theory  Although 
a  full  introduction  to  the  deductive-tableau  system  is  not  possible  here,  we  describe 
just  enough  to  make  this  paper  self-contained. 

4.1.  DEDUCTIVE  TABLEAUX 

The  fundamental  structure  of  the  system,  the  deductive  tableau .  is  a  set  of  rows,  each 
of  which  contains  a  plan  theory  sentence,  either  an  assertion  or  a  goal,  and  an 
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optional  term,  the  plan  entry.  We  can  assume  that  the  sentences  are  quantifier-free. 
Let  us  forget  about  the  plan  entry  for  a  moment. 

Under  a  given  interpretation,  a  tableau  is  true  whenever  the  following  condition 
holds: 

If  all  instances  of  each  of  the  assertions  are  true, 
then  some  instance  of  at  least  one  of  the  goals  is  true. 

Thus,  variables  in  assertions  have  tacit  universal  quantification,  while  variables  in 
goals  have  tacit  existential  quantification.  In  a  given  theory,  a  tableau  is  valid  if  it  is 
true  under  all  models  for  the  theory. 

To  prove  a  given  sentence  valid,  we  remove  its  quantifiers  (by  skoiemization)  and 
enter  it  as  the  initial  goal  in  a  tableau.  Any  other  valid  sentences  of  the  theory  that 
we  are  willing  to  assume  may  be  entered  into  the  tableau  as  assertions.  The  resulting 
tableau  is  valid  if  and  only  if  the  given  sentence  is  valid. 

The  deduction  rules  add  new  rows  to  the  tableau  without  altering  its  validity;  in 
particular,  if  the  new  tableau  is  valid,  so  is  the  original  tableau.  The  deductive  process 
continues  until  we  derive  as  a  goal  the  propositional  constant  true,  which  is  always 
true,  or  until  we  derive  as  an  assertion  the  propositional  constant  false,  which  is 
always  false.  The  tableau  is  then  automatically  valid;  hence  the  original  sentence  is 
too. 

In  deriving  a  plan  f(a).  we  prove  a  theorem  of  form 
(Vj0)(Va)(3c,)^[5n.  a.  s0 ; r, ]. 

In  skolemizing  this,  we  obtain  the  sentence 
j([V  a.  s0  --il- 

where  s„  and  a  are  skolem  constants  and  is  a  variable.  (Since  this  sentence  is  a 
theorem  or  goal  to  be  proved,  its  existentially  quantified  variables  remain  variables, 
while  its  universally  quantified  variables  become  skolem  constants  or  functions.  The 
intuition  is  that  we  are  free  to  choose  values  for  the  existentially  quantified  variables, 
whereas  the  values  for  the  universally  quantified  variables  are  imposed  on  us.  The 
situation  is  precisely  the  opposite  for  axioms  or  assertions.) 

To  prove  this  theorem,  we  establish  the  validity  of  the  initial  tableau 


assertions 

goals 

plan:  s„  ,f{a) 

I 

i[s„.  a.  s0 ;  C|] 

II 

•*0  *  - 1 

For  example,  the  initial  tableau  for  the  makeclear  derivation  is 


assertions 

goals 

plan: 

s0 ;  makeclear{a) 

1.  Clear(sn  ; .  a) 

Jn  '  - 1 
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Certain  valid  sentences  of  plan  theory,  such  as  the  axioms  for  blocks-world  actions, 
would  be  included  as  assertions. 

4.2.  PLAN  ENTRY 

Note  that  the  initial  tableau  includes  a  plan  entry  s0 ;  r, .  The  plan  entry  is  the 
mechanism  for  extracting  a  plan  from  a  proof  of  the  given  theorem.  Throughout  the 
derivation,  we  maintain  the  following  correctness  property: 

For  any  model  of  the  theory,  and  for  any  goal  [or  assertion]  in  the  tableau, 
if  some  instance  of  the  goal  is  true  [assertion  is  false], 
then  the  corresponding  instance  s0  ;  /  of  the  plan  entry  (if  any) 
will  satisfy  the  specified  condition  ^[r0,  a,  s0 :  t). 

In  other  words,  executing  the  plan  t  produces  a  state  sn ;  /  that  satisfies  the  specified 
condition.  The  initial  goal  already  satisfies  the  property  in  a  trivial  way,  since  it  is  the 
same  as  the  specified  condition.  Each  of  the  deduction  rules  of  our  system  preserves 
this  correctness  property,  as  well  as  the  validity  of  the  tableau. 

If  a  goal  [or  assertion]  has  no  plan  entry,  this  means  that  any  plan  will  satisfy  the 
specified  condition  if  some  instance  of  that  goal  is  true  [assertion  is  false].  In  other 
words,  we  do  not  care  what  happens  in  that  case. 

4.3.  BASIC  PROPERTIES 

It  may  be  evident  that  there  is  a  duality  between  assertions  and  goals;  namely,  in  a 
given  theory. 

a  tableau  that  contains  an  assertion  s/  is  valid 
if  and  only  if 

the  tableau  that  contains  instead  the  goal  (nor  -V).  with  the  same  plan  entry,  is 
valid. 

On  the  other  hand. 

a  tableau  that  contains  a  goal  '§  is  valid 
if  and  only  if 

the  tableau  that  contains  instead  the  assertion  (not  '-4),  with  the  same  plan  entry, 
is  valid. 

This  means  that  we  could  shift  all  the  goals  into  the  assertion  column  simply  by 
negating  them,  thereby  obtaining  a  refutation  procedure;  the  plan  entries  and  the 
correctness  properties  would  be  unchanged.  (This  is  done  in  conventional  resolution 
theorem-proving  systems.)  Or  we  could  shift  all  the  assertions  into  the  goal  column 
by  negating  them.  Nevertheless,  the  distinction  between  assertions  and  goals  has 
intuitive  significance,  so  we  retain  it  in  our  exposition. 

Two  other  properties  of  tableaux  are  useful.  First,  the  variables  of  any  row  in  the 
tableau  are  dummies  and  may  be  renamed  systematically  without  changing  the 
tableau's  validity  or  correctness.  Second,  we  may  add  to  a  tableau  any  instance  of  any 
of  its  rows,  preserving  the  validity  and  correctness. 
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4.4  PRIMITIVE  PLANS 

We  want  to  restrict  our  proofs  to  be  sufficiently  constructive  so  that  the  plans  we 
extract  can  be  executed.  For  this  purpose,  we  distinguish  between  primitive  symbols, 
which  we  know  how  to  execute,  and  nonprimitive  symbols,  which  we  do  not.  For 
example,  we  regard  the  function  symbols  :  and  hat'  and  the  predicate  symbols  ::  and 
Clear  as  nonprimitive,  because  we  do  not  want  to  admit  them  into  our  plans.  On  the 
other  hand,  we  regard  the  f-function  symbols  hat  and  clear  as  primitive. 

In  deriving  a  plan,  we  shall  maintain  the  primitivitv  property,  namely,  that  the  final 
segment  t  of  the  plan  entry  s0 ;  t  for  any  assertion  or  goal  of  the  tableau  shall  be 
composed  entirely  of  primitive  symbols.  Otherwise  the  new  row  is  discarded. 

4.5.  EXTRACTING  THE  PLAN 

As  we  have  mentioned,  the  deductive  process  continues  until  we  derive  either  the  final 
goal  true  or  the  final  assertion  false.  At  this  point,  the  proof  is  complete  and  we  may 
extract  the  plan 

f(a)  <=  r, 

where  s„  ;  /  is  the  plan  entry  associated  with  the  final  row. 

This  is  because  we  have  maintained  the  correctness  property  that  the  plan  entry  of 
any  goal  [or  assertion]  must  satisfy  the  specified  condition  ,i[s0.  a.  $„ :  r]  when  that 
goal  [or  assertion]  is  true  [or  false].  Since  the  truth  symbol  true  is  always  true  and  the 
truth  symbol  false  always  false,  the  plan  entry  s0 ;  t  will  always  satisfy  the  specified 
condition.  We  know  also  that  the  extracted  plan  will  be  executable,  because  we  have 
maintained  the  primitivity  property,  which  requires  that  the  plan  term  i  be  expressed 
exclusively  in  terms  of  primitive  symbols.  (Should  the  final  plan  still  contain  variables, 
these  may  be  replaced  by  any  primitive  terms.) 

In  the  next  section  we  begin  to  introduce  the  deduction  rules  of  our  system, 
emphasizing  those  that  need  to  be  adapted  for  plan  theory  or  that  play  a  major  role 
in  plan  derivations. 

5.  Formation  of  Conditionals 

The  resolution  rule  accounts  for  the  introduction  of  conditionals,  or  tests,  into  the 
derived  plan  and  also  is  important  for  ordinary  reasoning.  Because  a  special  adapta¬ 
tion  of  the  rule  is  necessary  to  form  conditionals  in  plan  theory  without  introducing 
the  nonprimitive  predicate  symbol ::  into  the  plan,  we  first  consider  applications  of  the 
rule  that  do  not  form  conditionals. 

5  1  THE  RESOLUTION  RULE  GROUND  VERSION 

We  begin  by  disregarding  the  plan  entries  and  considering  the  ground  version,  in 
which  there  are  no  variables.  We  describe  the  rule  in  a  tableau  notation. 
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assertions 

goals 

F[F] 

<S[F] 

F  [true]  or  $  [false] 

More  precisely,  if  our  tableau  contains  two  assertions.  .?[& ]  and  #(./].  which  share 
a  common  subsentence  we  may  replace  all  occurrences  of./  in  .?  [./]  with  true. 
replace  all  occurrences  of  ,/  in  #[/]  with  false,  take  the  disjunction  of  the  results,  and 
(after  propositional  simplification)  add  it  to  the  tableau  as  a  new  assertion. 

The  rationale  for  this  rule  is  as  follows.  We  suppose  that  J  [/]  and  '^(./]  are  true 
under  a  given  model,  and  show  that  (.?[true\  or  '$[ false])  is  then  also  true.  We 
distinguish  between  two  cases.  In  the  case  in  which  eP  is  true,  because  F  [/]  is  true, 
its  equivalent  F[ true ]  is  true.  On  the  other  hand,  in  the  case  in  which  /  is  false, 
because  '§[F\  is  true,  its  equivalent  '4 [  false]  is  true.  In  either  case,  the  disjunction 
(F[ true ]  or  '4[false])  is  true. 

Note  that  the  rule  is  asymmetric  in  its  treatment  of  ./[./]  and  'S[.F\.  In  fact,  it  can 
be  restricted  according  to  the  'polarity'  of  the  occurrences  of  /.  the  common  sub¬ 
sentence.  We  may  require  that  some  occurrence  of  ./  in  J\F]  be  of  negative  pulunn 
(i.e..  it  must  be  within  the  scope  of  an  odd  number  of  implicit  or  explicit  negations) 
and  that  some  occurrence  of  ./  in  '£[./]  be  of  positive  polarity  (i.e..  it  must  be  within 
the  scope  of  an  even  number  of  implicit  or  explicit  negations).  The  antecedent  of  an 
implication  is  considered  to  be  within  the  scope  of  an  implicit  negation.  Thus,  in 
applying  the  rule  between  two  assertions 

Ilf  P  then  (?)  and  (P  or  R). 

the  role  of  F  [./]  must  be  played  by  (if  P~  then  Q).  in  which  P  has  negative  polarity, 
and  the  role  of  '${<? J  by  ( P~  or  R).  in  which  P  has  positive  polarity,  yielding  the  new 
assertion 

(if  true  then  (Jt  or  ( Jaise  or  Ri. 

that  is.  after  propositional  simplification.  ( Q  or  R).  Reversing  the  roles  of  the  two 
assertions  yields  fire  trivial  assertion  true,  which  is  of  no  value  in  the  proof.  This 
strategy  has  been  shown  by  Murray  [82]  to  retain  completeness  for  first-order  logic. 

If  only  one  of  the  goals  has  a  plan  entry,  the  new  goal  is  given  the  same  pian  entry. 
(The  case  in  which  both  goals  have  plan  entries  requires  the  introduction  of  a 
conditional  plan  and  is  treated  separately.) 

We  have  applied  the  rule  between  two  assertions  but.  by  duality,  the  rule  can  just 
as  well  be  applied  between  two  goals  or  between  an  assertion  and  a  goal.  In  these 
cases,  a  new  goal  is  introduced,  which  is  a  conjunction  rather  than  a  disjunction  In 
applying  the  polarity  strategy,  each  goal  must  be  considered  to  be  within  the  scone 
of  an  implicit  negation 
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We  assume  that  all  the  sentences  in  a  tableau  are  subjected  to  full  propositional 
simplification.  Rules  such  as 

&  and  true  —  £ 
and  &  -*  & 
not  (not  &)  —  & 

are  applied  repeatedly  wherever  possible  before  an  assertion  or  goal  is  entered. 
Simplification  is  always  necessary  when  the  resolution  rule  is  applied. 

51  THE  RESOLUTION  RULE:  GENERAL  VERSION 

We  have  up  to  now  been  considering  the  ground  case,  in  which  the  sentences  have  no 
variables.  In  the  general  case,  the  rule  may  be  expressed  as  follows: 


— 

assertions 

goals 

W] 

jf9[true]  or  '§  d[false\ 

More  precisely,  let  us  suppose  that  our  tableau  contains  two  assertions  -r[J>]  and 
which  have  been  renamed  so  that  they  have  no  variables  in  common.  The 
subsentences  and  ,J?‘  are  not  necessarily  identical,  but  they  are  umfiable.  with  a 
most-general  unifier  0:  thus  Then  we  may  apply  9  to  &[.?)  and 

replace  all  occurrences  of  J8  in  {.?[c?])8  with  true,  replace  all  occurrences  of  j*'8  in 
('S  [.?'])$  with  false,  take  the  disjunction  of  the  results,  and  (after  propositional 
simplification)  add  it  to  our  tableau  as  a  new  assertion.  In  other  words,  after  applying 
the  most-general  unifier  6,  we  use  the  ground  version  of  the  rule.  If  exactly  one  of  the 
rows  has  a  plan  entry  t.  the  appropriate  instance  tO  of  that  entry  is  inherited  by  the 
new  row.  If  it  turns  out  that  td  contains  nonprimitive  symbols,  the  new  row  is 
discarded  to  maintain  the  primitivity  property. 

In  general,  there  may  be  several  unifiable  subsentences  y, ,  .y:.  .  .  .  in  J7  and 
several  unifiable  subsentences  .?[,  y;".  ...  in  'S.  The  substitution  9  must  then  be  a 
most-general  unifier  for  all  these  sentences. 


5.3  EQUATIONAL  UNIFICATION 

Typically  our  knowledge  of  the  world  is  represented  by  assertions  in  the  tableau.  It  is 
possible,  however,  to  build  certain  of  the  equations  and  equivalences  of  a  theory  into 
an  equational-unification  algorithm  (Fay  (79];  see  also  Hullot  [80].  Martelli  and  Rossi 
[86]).  so  they  need  not  be  included  among  the  assertions.  Properties  of  plan  theory  may 
be  represented  in  this  way.  including  the  linkage,  rigidity,  and  composition  axioms. 
For  example,  consider  the  sentences 

C/earis„  :r,.  a)  and  Clean  put  ( ir.  v.  table),  y). 
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Regarded  as  expressions  in  pure  first-order  logic,  these  sentences  are  not  umfiable. 
because  the  function  symbols  ;  and  put'  are  distinct.  Suppose  we  apply  the  substitution 

|  y  *-  a,  h •  «-  sn.  x  —  sn  u.  z,  <-  put)u.  table)]. 

Then  we  obtain  the  sentences 

Clear)sn . put)u.  table),  a)  and  Clear( put'(sn.  sn :  u.  table),  a). 
respectively.  These  are  distinct  sentences,  but  in  plan  theory  we  have 
Clear)sv  .put)u.  table),  a)  s  Clear)  put'(s„.  s„  :  u.  sn :  table),  a) 

(by  the  plan  linkage  axiom) 
s  Clear)  put')s„.  s„ :  u.  table),  a) 

(by  the  rigidity  of  the  designator  table). 

In  short,  by  applying  the  substitution  we  have  obtained  sentences  equivalent  in  plan 
theory.  This  substitution  is  returned  by  the  equational-unification  algorithm  We  shall 
say  that  the  two  sentences  have  been  unified  invoking  the  two  properties  cited. 

Most-general  equational  unifiers  are  not  unique.  For  example,  consider  the  sub¬ 
stitution 

!  y  —  a.  »  «-  ?n;r,,.v  —  (,v„  ;  r; ) :  u.  —  zz:put)u.  table)]. 

Applying  this  substitution  to  the  same  two  sentences,  we  obtain 
Clear)s 0  ;(c:  :put)u.  table)),  a) 

and 

Clear)  put')s„  :  z :.  )s„  :z:):  u.  table),  a). 
respectively.  But 

C/ear(sn  :(z:  :put)u.  table)),  a)  s  C/ear((sn  :z:)  :put)u.  table),  a) 

(by  the  plan  composition  axiom) 

3  Clear)  put’ )s„  :zz.  (j„  :z:):u.  (s„ :  r; ) :  table),  a  I 
(by  the  plan  linkage  axiom ) 

3  Clear)  put)sn  :  zz.  (s„  :z:):u.  table),  a  I 

(by  the  rigidity  of  the  designator  table). 

In  general,  the  equational-unification  algorithm  may  yield  an  infinite  stream  of 
most-general  unifiers.  We  obtain  a  different  resolvent  for  each  of  these  substitutions. 

5.4.  EXAMPLES 

Let  us  illustrate  the  resolution  rule  wuh  an  example  from  the  makeelear  derivation. 
Example  (re' oha tun).  Suppose  our  tableau  contains  the  initial  goal 


. 

assertions 

goals 

plan: 

j  v„  . makeelearta) 
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and  the  put-iahle-clear  axiom 


if  On(w,  x.  y)  and  Clear(w.x) 


then  Clear(put'{\\.  x.  table).  r) 


The  axiom  asserts  that,  after  a  block  has  been  put  on  the  table,  the  block  underneath 
it  is  clear. 

As  we  have  seen  above,  the  two  boxed  subsentences  are  equationally  unifiable  in 
the  blocks-world  theory.  One  of  the  most-general  unifiers  is 

|  y  —  a.  u  «-  s,,  :r;,  v  <-  :::):u.  <-  r;  :put(u.  tahle)\. 

The  polarity  of  the  boxed  subsentences  is  indicated  by  their  annotation  (The  goal  is 
negative  because  goals  are  within  the  scope  of  an  implicit  negation.)  Let  us  apply  the 
resolution  rule,  taking  //  and  to  be  the  boxed  subsentences  and  ft  to  be  the  above 
unifier.  Recall  that,  according  to  the  duality  property  ,  we  can  shift  the  assertion  into 
the  goal  column  by  negating  it.  We  obtain 


true 

and 

('  if  Onfs„  . (.v„  :  z: ) :  u.  a)  and 
Cleans „  ;r;.  (,v„ ; ) :  u) 
then  false 


v„  ;  r;  . put[ u.  table) 


which  simplifies  proposilionally  to 


2.  On{s„  : r; .  (s„  :z:)  u.  and 
Clean  s „  ;r  :.  (.v„  :  u) 


s„ :  :put(u.  ’able) 


In  other  words,  if  after  execution  of  some  plan  some  block  u  is  on  block  a  but  is 
itself  clear,  we  can  achieve  our  specified  condition  by  first  executing  plan  r:  and  then 
putting  block  u  on  the  table.  ■ 

To  present  another  step  of  the  makeeleur  derivation,  we  give  a  further  example  of 
branch-free  resolution. 

Example  ( resolution ).  The  boxed  subsentence  of  the  new  goal. 
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unities  equaiionally  with  the  boxed  subsentence  of  the  hat  axiom. 


if  not  Clear{\\.  y) 

then 

On(\c.  hat' l w.  y).  y) 

with  a  most-general  unifier 

|  v  «-  a.  u  *-  hat(a).  i»-  «-  .%  ;r:J. 

The  equational-umfication  algorithm  here  invokes  the  equalities 
(sa:::):hat(a)  =  hat'(sn ; (*„ : ;;) :  a). 
which  is  an  instance  of  the  object  linkage  axiom,  and 
Is., :  z: ) :  a  =  a. 

which  is  a  consequence  of  the  rigidity  of  the  input  parameter  a  Applying  Tie 
resolution  rule,  we  obtain  (after  propositional  simplification) 


3.  Clear(sn  :::.  {sn:::):hat(a))  and 

.»■„  ;  C;  : 

not  CleariSii ;  a) 

i  --  —  _ ! 

put(har(a).  table 1 

In  other  words,  if.  after  execution  of  ^ome  plan  step  r:.  the  block  a  is  not  clear 
the  block  hapa )  is.  we  can  achieve  our  specified  condition  by  first  executing  plan  : 
and  then  putting  hat(a)  on  the  table.  ■ 

5  5  RESOLUTION  WITH  CONDITIONAL  FORMATION 

In  applying  the  resolution  rule  between  two  rows,  both  of  which  have  plan  entries,  we 
must  generate  a  conditional  plan  entry.  If  we  applied  the  ordinary  resolution  rule  r 
such  a  case,  we  would  be  forced  to  introduce  tests  that  contain  the  predicate  symbol 
:: .  We  would  have  no  way  of  executing  the  resulting  nonpnmitive  plans.  To  a\oi  ’ 
introducing  nonprimitives  into  the  plan  entry,  we  employ  the  following  resolu'i- 
rule.  We  present  the  ground  version  of  the  rule  as  it  applies  to  two  goals: 


assertions 

goals 

plan  sa:  f{a) 

■  *[s::p] 

s.e, 

1 

T{s::p] 

s :  e: 

!dp  \ 

i 

[true]  and  .4 [  false j 

s  :  (  then  v  1 

\  else  «•;  1 

i 
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In  other  words,  suppose  our  tableau  contains  two  goals,  both  oi  which  reter  to  the 
truth  of  the  same  propositional  fluent  p  in  a  common  state  s.  Suppose  further  that  i 
is  an  initial  segment  of  the  plan  entries  for  each  of  the  two  goals.  Then  we  can 
introduce  the  same  new  goal  as  the  previous  branch-free  version  of  the  rule.  The  plan 
entry  associated  with  this  goal  has  as  its  initial  segment  the  common  state  s  of  the 
given  plan  entries.  Its  final  segment  is  a  conditional  whose  test  is  the  matching 
propositional  fluent  p  and  whose  /Ae«-clause  and  e/se-clause  are  the  final  segments  e , 
and  e..  respectively,  of  the  given  plans. 

The  rationale  for  this  plan  entry  is  as  follows.  We  suppose  that  the  new  goal 
(&{ true ]  and  <£[  false])  is  true  and  show  that  the  associated  plan  entry  satisfies  the 
specified  condition. 

We  distinguish  between  two  cases.  In  the  case  in  which  s  ::p  is  true,  because  the 
conjunct  cf[true]  is  true,  the  given  goal  &[s  ::p]  is  also  true,  and  hence  the  associated 
plan  entry  s ; e,  satisfies  the  specified  condition.  In  this  case,  the  conditional  plan 

5 ;  (if  p  then  e,  else  e: ) 

will  also  satisfy  the  condition  because,  when  executed  in  state  s.  the  result  of  the  test 
of  p  will  be  true. 

Similarly,  in  the  case  in  which  s::p  is  false,  the  given  goal  '.4[s:.p\  is  true,  the 
associated  plan  entry  s:e:  satisfies  the  specified  condition,  and  the  conditional  plan 
will  also  satisfy  the  condition.  Thus,  in  either  case  the  conditional  plan  satisfies  the 
specified  condition 

Of  course,  the  rule  applies  to  assertions  as  well  as  to  goals.  The  polarity  strategy 
may  be  imposed  as  before.  We  have  given  the  ground  version  of  the  rule:  in  the  general 
version,  in  which  the  rows  may  have  variables,  we  first  apply  a  most-general  unifier 
of  the  subsentences  s::p  and  s'  v.p .  after  renaming  as  necessary:  we  then  use  the 
ground  version  of  the  rule. 

We  illustrate  this  with  an  example. 

Example  (resolution  with  conditional  formation).  Suppose  our  tableau  contains  the  two 
goals 


goals 

. 

plan:  I 

s„ .  makeclear(a) 

Is.  clear(a) 

.Voir,  ;  A  j 

1 

- 1 

,v„ ;  A  .  niakeclear{hat{a)): 
putihai(a).  table) 

i 

not  (.s„  ;  A ) : :  clear) a) 

The  boxed  subsentences  are  unifiable.  with  a  most-general  unifier  —  AJ.  The 
unified  subsentences  both  refer  to  the  truth  of  the  same  propositional  fluent  clcaria I  in 
a  common  state,  the  state  v„  .  A  The  state  v„ .  A  is  an  initial  segment  for  the  plan  entries 
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of  each  of  the  given  goals.  Therefore  we  can  apply  the  resolution  rule  to  obtain  (after 
propositional  simplification) 


true 

/if  clear! a )  \ 

s  ■  A  •  I  lhen  A 

1 

1 

°’  'I  else  makeclear(hat(a)) : 

\  put(hat(a),  table )  / 

Using  equational  unification,  we  can  take  advantage  of  properties  of  plan  theory 
in  applying  the  resolution  rule.  For  instance,  we  could  apply  the  rule  in  this  example 
if  our  two  goals  were 

C/ear(sn  ;  r, .  a) 


and 


not(sn ::  clear!  a )) 

to  obtain  the  same  result.  (The  first  is  our  goal  1.)  This  could  be  the  final  step  of  a 
makeclear  derivation.  ■ 

Let  us  remark  that  we  could  formulate  a  resolution  rule  without  the  restriction  that 
the  common  state  be  an  initial  segment  of  the  plan  entries.  If  these  entries  were  s,  and 
s\.  the  plan  entry  for  the  derived  goal  could  be  taken  to  be 

if  s'.',  p  then  s\  else  s':. 

The  unrestricted  rule  does  preserve  the  validity  and  correctness  of  the  tableau 
However,  because  the  new  plan  entry  contains  the  nonpnmitive  symbol  the 
row  would  have  to  be  discarded  immediately.  This  is  why  we  are  forced  to  restrict 
the  rule. 

5  b  THEORY  RESOLUTION  RULE 

We  have  seen  that  we  can  build  equations  and  equivalences  of  a  theory  into  the 
resolution  rule  by  using  an  equational-umfication  algorithm.  Stickel  [85]  has 
introduced  a  further  extension  of  the  resolution  rule  that  enables  it  to  behave  as  if 
nonequational  properties  of  the  theory  were  built  in.  so  that  they  may  be  invoked  as 
required.  We  ntroduce  a  simplified  version  of  Shekel's  rule  here.  (The  actual  version 
is  more  general.) 

We  consider  the  ground  case  and  ignore  plan  entries  for  the  moment  Let  us 
suppose  that  [.■/.  J]  is  a  valid  sentence  of  the  theory.  Then  the  theory  resolution  rule, 
invoking  the  property  rt  [  /.  a?],  is  as  follows: 
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assertions 

goals 

.¥  [y] 

4  [A] 

not  Jtf  [false,  true]  and 
y  [true]  and 

4  [false] 

According  to  the  polarity  strategy,  we  may  assume  that  some  occurrence  of  y  is 
positive  in  W .  that  some  occurrence  of  A  is  negative  in  W .  that  some  occurrence  of 
y  in  y  is  negative  in  the  tableau,  and  that  some  occurrence  of  A  in  ‘4  is  positive  in 
the  tableau;  otherwise,  other  cases  of  the  rule  apply. 

The  soundness  of  the  rule  is  evident,  for  we  can  derive  an  equivalent  goal  by  two 
applications  of  the  ordinary  resolution  rule  if  we  introduce  the  valid  sentence 
JF  [y.  A]  as  an  assertion.  The  strategic  benefit  of  the  theory  resolution  rule  is  that,  if 
.W  is  built  into  the  rule,  it  is  invoked  only  when  needed,  while  if  it  is  represented  as 
an  assertion,  it  may  have  numerous  irrelevant  consequences. 

We  have  presented  the  rule  as  it  applies  to  two  goals.  By  duality,  the  rule  can  just 
as  well  be  applied  to  two  assertions  or  to  an  assertion  and  a  goal.  Also,  we  have 
presented  only  the  ground  version  of  the  rule.  To  apply  the  general  version,  we  first 
rename  so  that  the  given  rows  .y  and  '4  and  the  sentence  JF  will  have  no  variables 
in  common.  We  then  apply  a  most-general  unifier  9  that  allows  the  ground  version 
of  the  rule  to  be  applied  to  ./fl  and  '40.  invoking  0. 


Example  ( theory  resolution  rule).  Suppose  we  have  incorporated  into  the  theory 
resolution  rule  the  sentence 


if  Clear)  n.  v) 


IF:  then  if  l j  Redin',  v) 


then  )  Red)  put'jn  .  x.  table),  y)  j  . 


which  is  assumed  to  be  valid  in  our  theory,  tin  other  words,  a  red  object  will  remain 
red  after  a  block  has  been  put  on  the  table. ) 

Suppose  our  tableau  contains  the  rows 
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(In  other  words,  we  know  that  block  a  is  red  in  state  s0,  and  we  would  like  to  show 
that  a  is  still  red  after  block  b  has  been  put  on  the  table.) 

The  boxed  subsentences  of  these  rows  unify  with  the  correspondingly  boxed  sub¬ 
sentences  of  the  sentence  Jf .  The  unifying  substitution  is 

0 :  { y  «-  a,  x  «-  b.  w  «-  s0 }. 

Therefore  we  may  apply  the  theory  resolution  rule,  invoking  the  above  property  W . 
After  the  application  of  0.  the  singly  boxed  subsentences  play  the  role  of  A  while  the 
doubly  boxed  subsentences  play  the  role  of  d.  We  obtain 


(In  other  words,  it  suffices  to  show  that  block  b  is  clear  in  the  initial  state  v)  ■ 


The  treatment  of  the  plan  entries  is  analogous  to  that  for  the  ordinary  resolution 
rule.  If  both  given  rows  have  plan  entries,  the  rule  is  restricted  and  a  conditional  plan 
is  introduced.  We  assume  that  an  equational-unification  algorithm  is  employed.  Thus 
the  rule  may  also  invoke  built-in  equations  and  equivalences  of  the  theory  in  its  search 
for  a  unifying  substitution.  For  example.  *  above  could  be 

Redis, i  .ptttlh .  table),  a) 
if  b  and  table  are  rigid  designators. 

5.7.  THE.  FRAME  PROBLEM 

One  obstacle  to  employing  a  situational  logic  is  the  so-called  frame  problem  (see 
McCarthy  and  Hayes  [69],  Kowalski  [79]).  In  addition  to  specifying  what  relations  are 
changed  by  a  given  action,  it  is  also  necessary  to  provide  frame  axioms  that  state 
explicitly  what  relations  are  left  unchanged. 

For  instance,  we  have  provided  the  put-tabie-on  axiom,  which  states  that,  after  a 
block  has  been  put  on  the  table,  that  block  is  indeed  on  the  table.  This  may  be 
regarded  as  a  primary  axiom  for  the  action.  We  must  also  provide  an  associated 
put-iable-on  frame  axiom,  which  states  that  the  positions  of  other  blocks  remain 
unchanged  by  the  action,  namely, 

if  Clear) n.  x)  and  noti.x  =  y) 
then  if  Ort(\\ .  y.  y) 

then  On(pui '(»»-.  v,  table),  y.  y) 
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for  all  states  h\  blocks  x  and  y,  and  objects  y.  If  we  admit  other  relations  into  our 
theory,  we  must  provide  additional  frame  axioms  indicating  that  these  relations  are 
unchanged  by  the  action,  if  indeed  they  are.  For  example,  we  might  require  a  red 
frame  axiom 

if  Clear(w,  x) 
then  if  Red(w.  y) 

then  Red(put'(w,  x.  table),  y) 

(if  block  y  is  red  before  the  action,  it  is  red  afterwards)  and  so  forth. 

It  is  clear  that,  in  any  rich  theory,  a  large  number  of  axioms  must  be  introduced  to 
describe  each  action.  If  these  axioms  are  expressed  as  assertions  in  our  tableau,  the 
effect  on  the  search  space  could  be  disastrous.  For  instance,  suppose  our  goal  is 
actually  Red(sn ;  r,.  a),  to  make  block  a  red.  We  can  perfectly  well  apply  the  resolution 
rule  to  this  goal  and  the  above  red  frame  axiom,  obtaining  the  suggestion  that  putting 
some  block  .v  on  the  table  may  help  us  make  block  a  red.  provided  only  that  it  is  red 
beforehand. 

Aside  from  the  strategic  intrusiveness  of  the  frame  axioms,  it  seems  fundamentally 
wrong  for  a  formalism  to  force  us  to  spell  out  each  one  individually.  We  would  like  to 
be  able  to  give  only  the  primary  axioms  for  an  action,  and  then  say  that  all  other 
relations  remain  unchanged,  unless  a  change  is  implied  by  these  axioms.  Although  this 
approach  is  intuitively  clear,  the  technical  obstacles  to  pursuing  it  appear  formidable. 
One  possibility  is  to  apply  McCarthy's  circumscription  principle  (see  Lifschitz  [85])  or 
some  other  form  of  nonmonotonic"  reasoning. 

We  henceforth  assume  that  the  necessary  frame  axioms  have  been  constructed, 
perhaps  by  some  circumscription-like  mechanism.  Rather  than  introduce  these 
axioms  as  assertions  in  the  tableau,  let  us  allow  them  and  their  consequences  to  be 
invoked  by  the  theory  resolution  rule. 

Example  ( frame  axiom).  Suppose  we  have  developed  a  goat 

assertions  goals  plan 

On(sn  ;pul(a.  table),  b.  b)  ;put(a.  table) 


In  other  words,  we  know  that  block  b  is  on  object  f  initially  and  would  like  to  show 
that  it  is  still  on  b  after  block  a  is  put  on  the  table. 
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We  cannot  unify  these  sentences.  However,  the  sentences  do  unify  equationally  with 
the  correspondingly  boxed  subsentences  of  the  pui-table-on  frame  axiom 


if  Clearin',  x)  and  nor(x  =  y) 


then  if 

On(w,  y.  y) 

then 

On(  put'iw. 

x.  table),  y.  y) 

In  other  words,  if  block  y  is  on  object  y  in  a  given  state,  it  is  still  on  y  after  block  x 
has  been  put  on  the  table,  provided  that  block  x  is  clear  in  the  given  state  and  that 
blocks  x  and  y  are  distinct. 

The  unifying  substitution  is 

I }’  y  *-  b.  w  —  s0,  x  <-  a)  . 

The  equational-unification  algorithm  invokes  the  property 

jn  ;put(a.  table)  =  put'(s0.  J0  :a.  j0  .  table), 

which  is  an  instance  of  the  plan  linkage  axiom,  and  the  rigidity  of  the  designators  a 
and  table.  Therefore  we  may  apply  the  theory  resolution  rule,  invoking  the  put-table- 
on  frame  axiom,  to  get 


Clear{sn.  a)  and  notia  =  h) 


s0  :  puti a.  table) 


In  other  words,  it  suffices  to  show  that  block  a  is  clear  initially  and  that  blocks  a  and 
b  are  distinct.  ■ 


By  building  the  frame  axioms  and  their  consequences  into  the  theory  resolution  rule, 
we  have  avoided  the  explosion  of  the  search  space  that  results  if  they  are  introduced 
into  the  tableau  as  assertions. 


5  8  RESOLUTION  WITH  EQUALITY  MATCHING 

Sometimes  in  an  attempt  to  apply  the  resolution  rule,  two  subsentences  will  fail  to 
unify  completely  but  will  'nearly'  unify:  that  is.  all  but  certain  pairs  of  subterms  will 
unify.  In  such  cases,  instead  of  abandoning  the  attempt  altogether,  it  may  be  advan¬ 
tageous  to  go  ahead  and  apply  the  rule  but  impose  certain  conditions  upon  the 
conclusion.  This  is  the  effect  of  applying  the  resolution  rule  with  equality  matching. 
In  as  simplest  (ground I  version,  the  rule  may  be  expressed  as  follows: 


assertions 

goals  1 

s  =  t  and  F[true\  end  '4 [  false] 
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Here  #(s)  and  are  identical  except  that  certain  occurrences  of  s  in  J*(s)  are 
replaced  by  t  in  J>(  /).  If  they  were  completely  identical,  we  could  apply  the  ordinary 
resolution  rule  to  obtain  the  new  goal  (&[true]  and1# [false J).  Instead,  we  obtain  this 
goal  with  the  additional  conjunct  s  =  t.  The  treatment  of  the  plan  entry  is  analogous 
to  that  for  the  original  resolution  rule. 

Our  rule  is  a  nonclausal  version  of  the  E-resolution  rule  (Morris  [69J)  or  the 
RUE-resolution  rule  (Digricoli  and  Harrison  [86]).  In  Manna  and  Waldinger  [86],  we 
generalize  the  rule  to  allow  more  than  one  pair  of  mismatched  terms  and  to  employ 
reflexive  binary  relations  other  than  equality,  but  we  shall  not  require  these  extensions 
here. 

In  the  nonground  version,  in  which  the  sentences  may  contain  variables,  we  apply 
a  substitution  to  the  given  rows  and  then  apply  the  ground  version  of  the  rule  to  the 
results.  The  substitution  is  the  outcome  of  an  abortive  attempt  to  unify  the  subsen¬ 
tences.  We  shall  see  that,  for  a  given  pair  of  sentences,  the  substitution  we  employ  and 
the  pair  of  mismatched  subterms  we  obtain  are  not  necessarily  unique.  Some  of  the 
strategic  aspects  of  choosing  the  substitution  and  term  pair  are  discussed  by  Digricoli 
and  Harrison  [86]. 

Example  (resolution  with  equality  matching).  Suppose  our  tableau  contains  the  goal 


- 1 

Clear(sn ;  r:.  (s„ ;  r; ) :  hat(a))  | 

and  Q(:: ) 

put(hat(a),  table ) 

and  the  assertion 


if  R( 

IV.  u ) 

then 

Clear(w  :makeclear(u).  w  :u) 

The  two  boxed  subsentences  are  not  unifiable.  However,  if  we  apply  the  sub¬ 
stitution 

{ u  «-  hat(a).  w  —  j„  ;r:], 
we  obtain  the  sentences 

Clear) s0  .  r:.  U„ ;  r.) :  hat(a)) 
and 

Clear((s„ ;  ) :  makeclear(hat(a)).  (su :  hat(a)). 

Our  mismatched  terms  are  then 

s„:::  and  ( s„:::):makeclear(hat(a )). 
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The  conclusion  of  the  rule  is  then  (before  simplification) 


s0::2  =  (s0 \::)\makeclear(hat(a))  and 

) 

1 

true  and  Q{:2)  and 

S0  •  j 

net  (if  R(s0 ;  hat(a))  then  false) 

put(hat(a),  table ) 

On  the  other  hand,  if  we  apply  the  substitution 
{tv  *-  s0,  z2  makeclear(u)) . 
the  boxed  subsentences  become 

Clear(s0  ;  makeclear(u),  (s0  ;  makeclear(u)) :  hat(a)) 
and 

Clear(sQ  ,  makeclear{u),  sn :  u). 

Our  mismatched  terms  are  then 

( s0:makeclear(u)):hat(a )  and  sn :  u. 
and  the  conclusion  of  the  rule  (after  simplification  this  time)  is  then 

(s0:makeclear(u)):hat(a)  =  s„ :  u  . 

^  s0  •  make  clear) u ); 

eZkedearU, »  ond  H„.  „)  |  M 

■ 

In  applying  resolution  with  equality  matching,  we  have  altered  an  ordinary  unifica¬ 
tion  algorithm  to  return  mismatched  terms  instead  of  failing.  If  we  alter  instead  an 
equational-unification  algorithm,  we  can  invoke  properties  of  our  plan  theory  in  our 
search  for  near-unifiers. 

6.  Formation  of  Recursion 

The  mathematical-induction  rule  accounts  for  the  introduction  of  the  basic  repetitive 
construct  -  recursion  -  into  the  plan  being  derived.  We  employ  well-founded  induc¬ 
tion.  i.e.,  induction  over  a  well-founded  relation;  this  is  a  single,  very  general  rule  that 
applies  to  many  subject  domains. 

t. ;  MATHEMATICAL- INDUCTION  RULE 

A  well-founded  relation  <,  is  one  that  admits  no  infinite  decreasing  sequences,  re¬ 
sequences  ,V|.  x;.  .v,.  .  .  .  such  that 

.V,  >,  ,x:  and  x:  >,  x,  and  .... 
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For  instance  the  less-than  relation  <  is  well-founded  in  the  theory  of  nonnegative 
integers  but  not  in  the  theory  of  real  numbers.  A  well-founded  relation  need  not  be 
transitive. 

The  instance  of  the  well-founded  induction  rule  we  require  can  be  expressed  as 
follows  (the  general  rule  is  notationally  more  complex): 

Suppose  that  our  initial  tableau  is 

|  assertions  |  goals  plan:  s„  :f(a) 

j)[s0.  a.  sn  ; sn  ; : 

In  other  words,  we  are  trying  to  construct  a  program / that,  for  a  given  input  a.  yields 
a  plan  f(a)  =  r,  satisfying  our  condition  J[i0.  a.  j0 ;  c,].  According  to  the  well- 
founded  induction  rule,  we  may  prove  this  under  the  induction  hypothesis  that,  for 
a  given  state  w  and  input  u.  the  program / will  yield  a  plan / (u)  satisfying  the  condition 
d [iv.  w  :u.  «  ;  /(«)],  provided  that  the  input  w:u  is  less  than  the  original  input  s„ :  a. 
that  is,  a,  with  respect  to  some  well-founded  relation.  More  precisely,  we  may  add  to 
our  tableau,  as  a  new  assertion,  the  induction  hypothesis 

if  <>*•,  vv  :  u >  <,  (sn.  a) 
then  ^[m  ,  iv  :  u,  w ;/(«)] 

Here  >v  and  u  are  both  variables,  and  <,  is  actually  a  well-founded  relation  on  pairs 
of  states  and  objects.  The  relation  ■<,  is  arbitrary:  its  selection  may  be  deferred  until 
later  in  the  proof. 

Example  (well-founded  induction).  The  initial  tableau  in  the  makeclear  derivation  is 

assertions  goals  plan: 

s„ ;  makeclear(a) 

1.  Clear(sn  ;r,.  a)  ,v0  ;r. 

By  application  of  the  well-founded  induction  rule,  we  may  add  to  our  tableau  the  new 
assertion 

if  <  iv,  w  :u>  <,  <sn.  a>  ! 

then  C/ear(w ;  makeclear(u).  w:u)  | 

_ | _  1 

In  other  words,  we  may  assume  inductively  that  the  makeclear  program  will  yield  a 
plan  makeclear(u)  that  satisfies  the  specified  condition  for  any  input  u  in  any  state  »  . 
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provided  that  the  state-block  pair  <  w,  w.u >  is  less  than  the  pair  <s0.  a>  with  respect 
to  some  well-founded  relation  ■ 

Use  of  the  induction  hypothesis  in  the  proof  may  account  for  the  introduction  of  a 
recursive  call  into  the  derived  program. 

Example  ( formation  of  recursive  calls).  In  the  makeclear  derivation,  we  have  obtained 
the  goal 


3. 

Clear(s (s0 ; r;) : hat(a)) 

and 

sn::2: 

not  Clearisn  :c;.  a) 

put!  had  a),  table) 

The  boxed  subsentence  'nearly'  unifies  with  the  boxed  subsentence  of  our  induction 
hypothesis. 


if  <«• 

.  u  :u>  <.v„.  a) 

] 

then 

Clear ( u  ;  makeclear(u).  w :  u ) 

If  we  take  the  substitution  to  be 
I u  <-  s„.  ::  «-  makeclear{u)\ . 
the  mismatched  subterms  are 

(stt:makedcar)u))  har(a)  and  s„ :  u. 
We  obtain  the  new  goal 


4.  (,tn  ;  makeclear(u)) :  hat(a)  =  ,vn  :  u  and 
not  C!ear{sn :  makeclear(u).  a)  and 
V"/'  S,  u; 


sn  :  makecleariu) : 
puHhat(a).  table) 


Other  substitutions  are  possible,  resulting  in  other  new  goals.  ■ 

Note  that,  at  this  stage  of  the  derivation,  a  recursive  call  makeclear) u )  has  been 
introduced  into  the  plan  entrv  for  the  new  goal  4.  The  condition  <.r„.  s„:u'}  <, 
\ .  a)  in  the  goal  ensures  that  this  recursive  call  will  not  contribute  to  nontermina- 
tion.  Any  nonterminating  computation  involves  an  infinite  sequence  of  nested  recur¬ 
sive  calls  makeclear(a).  makeclear(u).  makedear(u) . From  any  such  sequence 

we  can  construct  an  infinite  decreasing  sequence  of  pairs  s.vn.u>.  <  v„  u  \ 
<.s„.  sn  :  u  > . which  is  contrary  to  the  well-foundedness  of 
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6.2.  THE  CHOICE  OF  A  WELL-FOUNDED  RELATION 

Although  the  well-founded  induction  principle  is  the  same  from  one  theory  to  the 
next,  each  theory  has  its  own  well-founded  relations.  We  actually  take  well-founded 
relations  to  be  objects  in  each  theory  and  regard  the  expression  x  <,  y  as  a  notation 
for  a  three-place  relation  -<(x.  x.  y).  where  a  is  a  variable  that  ranges  over  well-founded 
relations. 

For  the  blocks-world  theory,  one  relation  of  particular  importance  is  the  on 
relation,  which  holds  if  one  block  is  directly  on  top  of  another.  In  a  given  state,  this 
relation  is  well-founded  because  we  assume  that  towers  of  blocks  cannot  be  infinite. 
More  precisely,  for  each  state  w,  we  define  the  well-founded  relation  by  the 
following  on-relaiion  axiom: 

x  y  =  On( u.  x.  y)  (on  relation ) 

(Note  that  for  each  state  h  we  obtain  a  different  relation  This  relation  has  the 

hat  property 


(*)  if  not(w  ::  clear(v)) 

then  w.hat(v)  h  .v. 

The  on  relation  applies  to  blocks,  but  the  desired  relation  in  goal  4  applies 
to  state-block  pairs.  However,  for  any  well-founded  relation  there  exists  a 
corresponding  well-founded  second-projection  relation  on  pairs,  defined  by  the 

following  second-projection  axiom: 


<  -Y,  .  <  v,  .  V;  >  s  X;  <„  V; 


(second  projection) 


In  other  words,  two  pairs  are  related  by  the  second-projection  relation  -< if  their 
second  components  are  related  by  <f.  As  usual  we  omit  the  sort  conditions,  but  here 
P  is  a  variable  that  ranges  over  well-founded  relations.  (Of  course,  there  is  a  first- 
projection  axiom  also,  but  the  second  projection  is  the  one  we  shall  use.) 

By  applying  rules  of  the  system  to  the  above  properties,  we  may  reduce  our  most 
recent  goal 


4.  (,s„  :  tnakeclear(u)) :  hall  a)  =  s„:u  and 
not  Cleans,, .  niu^edear(u).  a)  and 

<.v„.  s„ :  w)  ' sn,  a  > 


.v,i :  makerJear(u): 
puphat(a).  table) 


to  obtain,  by  the  second-projection  axiom,  taking  x  to  be  n:(fi). 


5.  ,s„  :  makecteariu))  :  hat(a)  =  s„  :u  and 

s„  :  makeclear(u): 

not  Clear(sn  ;  makecleariu),  a)  and 

putt  hart  a),  table) 

s, i  :u  a 
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and  then,  by  the  above  hat  property  (*),  taking  (i  to  be  on,r 


- 1 

6.  (s0  ;  makeclear(hat(a ))) :  hat(a) 

=  s0 :  hat(a)  and 

s0  ;  makeclear{haha)Y. 

not  Clear{s0  ;makeclear{hat{a)),  a)  and 
not  (s0 clear(a)) 

putlhaHa).  table )  j 

Through  these  steps,  the  well-founded  relation  -<,  on  state-block  pairs  is  chosen  to 
be  ,,  the  second  projection  of  the  on  relation  in  the  initial  state 

At  this  stage,  we  have  completed  the  derivation  of  the  entire  e/se-branch  of  the 
makeclear  program. 

6.3.  THE  NEED  FOR  GENERALIZATION 

One  might  believe  that  the  derivation  is  nearly  complete;  all  that  remains  is  to  dispense 
with  the  first  two  conjuncts  of  our  goal  6. 

(  +  )  (s„  :makeclear{hat(d)))  :  hat(a)  =  s„  :  hat(d) 

and 

CJ)  not  Clear{sn:makeclear{hat(a)).  a). 

(The  third  conjunct,  nods,,  \:clear(a)).  will  then  be  eliminated  by  resolution  with  the 
initial  goal  I.  resulting  in  the  introduction  of  the  conditional  construct  into  the  final 
plan.)  In  fact,  closer  examination  of  the  above  two  conditions  indicates  that  they  are 
not  so  straightforward. 

The  first  condition  (+)  requires  that,  after  hat(a)  has  been  cleared,  the  value  of  Iwna) 
should  be  the  same  as  it  was  before.  In  other  words,  we  must  show  that  the  makeclear 
program  we  are  constructing  will  not  move  hat(a)  in  the  process  of  clearing  it.  In  fact, 
the  program  does  not  move  hat(a).  but  nothing  in  its  specification  forces  it  to  be  so 
well-behaved.  If  makeclear  were  trying  to  be  economical  with  table  space,  it  might 
clear  luma)  by  putting  underneath  it  all  the  blocks  that  were  previously  on  top  of  it. 
as  illustrated  in  Figure  2. 


Fig  ; 
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Here  a  hypothetical  makeclear  program  has  cleared  haHa).  that  is.  h.  by  putting  c 
and  d  underneath  b.  The  subsequent  value  of  haHa)  is  d.  not  h.  which  is  contrary  to 
the  condition.  An  attempt  to  put  haHa)  on  the  table  will  then  lead  to  unpredictable 
results  because  d  is  not  clear. 

The  second  condition  (J)  of  the  goal  requires  that,  in  the  process  of  clearing  haHa). 
we  do  not  inadvertently  clear  a.  Again  the  program  we  are  constructing  will  not  do 
this,  but  there  is  nothing  in  the  specification  that  prevents  an  over  ambitious  make- 
clear  program  from  clearing  a  or  any  other  block  when  it  was  asked  only  to  clear 
hat(a).  as  illustrated  in  Figure  3.  Attempting  to  move  haHa)  will  then  lead  to  un¬ 
predictable  results  because  haHa)  is  not  a  block. 


s0  Sq  ;  makeclearthatlai ) 


Fig  3 

The  only  knowledge  we  have  about  makeclear  is  that  given  in  our  induction 
hypothesis,  which  depends  in  turn  on  what  is  required  by  our  specification.  We  have 
not  specified  what  makeclear(a)  does  to  blocks  underneath  its  input  parameter  a  or 
elsewhere  on  the  table.  Thus  it  is  actually  impossible  to  prove  the  two  conditions. 

In  proving  a  given  theorem  by  induction,  it  is  often  necessary  to  prove  a  stronger, 
more  general  theorem,  so  as  to  have  the  benefit  of  a  stronger  induction  hypothesis 
Such  strengthening  is  mentioned  by  Polya  [57]  isee  also  Manna  and  Waldinger  [85b]) 
and  is  done  automatically  by  the  system  of  Boyer  and  Moore  [79],  Bv  analogy,  in 
constructing  a  program  to  meet  a  given  specification,  it  is  often  necessary  to  impose 
a  stronger  specification,  so  as  to  have  the  benefit  of  more  powerful  recursive  calls 

This  turns  out  to  be  the  case  with  the  makeclear  problem:  the  program  must  be 
constructed  to  meet  not  the  given  specification,  but  the  following  stronger  one: 

.v„  ;  .  a)  and 

if  Over{sn.  a.  g) 
then  nor  CIearixn  ;  r, . g)  and 

hat  (.v„  g)  =  hat  g) 

(Here  Overt  w.  v.  r)  holds  if  block  r  is  directly  or  indirectly  supported  by  object  v  in 
state  n.)  In  other  words,  in  clearing  block  a.  we  do  not  clear  any  block  g  that  is 
underneath  a.  nor  do  we  charge  the  hat  ot  any  such  block  g.  In  short,  the  relative 
positions  of  all  the  blocks  underneath  a  remain  unchanged.  This  theorem  gives  us  an 
induction  hypothesis  strong  enough  to  show  that,  in  clearing  haHa).  or  haHhaHa)).  or 
haHhaHhaHa))).  or  ....  we  do  not  move  haHa)  itself.  The  induction  hypothesis  is  also 
strong  enough  to  enable  us  to  prove  the  new  condition  in  the  theorem. 
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With  human  intuition,  it  may  not  be  difficult  to  formulate  such  strengthened 
theorems.  But  the  strengthening  required  by  this  problem  seems  to  be  beyond  the 
capabilities  of  the  Boyer-Moore  system  or  other  current  theorem  provers. 

Although  we  do  not  know  exactly  how  the  condition  could  be  strengthened 
automatically,  let  us  suppose  that  it  can  be  done.  In  this  case,  we  must  edit'  the 
derivation  by  adding  the  new  condition  as  a  conjunct  in  the  initial  goal,  to  obtain 


goals 

plan:  [ 

sn :  makeclear(a)  j 

1*. 

C!ear(sn  a) 

if  Over(sn.  a.  g' 
then  not  Clear), 
and  hat'is, 
=  ha 

and 

rn;r,.g(  r, )) 

)) 

r'(s„.  £'(;,)) 

•*n  :  - 1  ■ 

Here  g'(r,)  is  a  skolem  function  obtained  by  removing  the  quantifier  (Vg)  from  the 
given  goal.  In  presenting  the  derivation,  we  shall  drop  the  argument  of  this  function 
and  write  g  throughout. 

We  attempt  to  mimic  the  original  derivation,  applying  the  same  sequence  of  rules 
to  the  altered  goals. 

For  example,  in  the  original  derivation  we  applied  the  resolution  rule  to  goal  I  and 
the  put-table-clear  axiom 


|  if  On( u.  .v,  r)  and  Clearin',  x) 

|  then  .  Clear)  put'tu .  v.  table),  y) 

! 

_ _ _ _ _ _ _ 1 

In  the  altered  derivation,  we  applv  the  resolution  rule  to  the  altered  goal  I*  and  this 
axiom,  to  obtain 


2. 

On(su : is,,  ul  and 

Clear{sn  ;  r;.  (.v„  ; :: ) :  u)  and 

if  Ovens,,,  a.  g) 

to  :  . 

then  not  Clearis,, : :: : putiu.  table),  g) 

put) it.  table) 

and  liat'(s„  :put(u.  table).  g| 

=  hat'is,,.  g) 

This  goal  is  the  same  as  goal  3  except  for  the  addition  of  a  third  conjunct. 

We  proceed  by  mimicking  the  remaining  steps  of  the  original  derivation  We 
allow  ourselves  to  interpose  additional  steps  as  necessary  Although  the  induction 
hypothesis  is  now  strong  enough  to  establish  the  two  troublesome  conditions  in  our 
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original  derivation,  additional  deductive  steps  must  be  introduced  to  handle  the  new- 
conjunct  in  our  goal.  These  steps  do  not  affect  the  final  program. 

Ultimately  we  derive  the  goal 


not{s0 ::  clear(a)) 


s„  ;  makecleari  hati  a)): 
put(hatia),  table) 


As  we  have  seen,  we  can  apply  the  resolution  rule  to  our  initial  goal  I  and  this  one. 
to  obtain  the  final  goal 


if  clear) a) 
then  A 

else  makeclearihatia)): 
put(hatia).  table ) 


From  this  goal  we  extract  the  plan 


makecleari  a ) 


if  clear) a) 
then  A 

else  makeclearihatia)); 
put(hatia).  table). 


7.  Discussion 

In  this  section  we  touch  on  some  matters  we  have  not  treated  in  this  paper. 


'  I  COMPARISON  WITH  HUMAN  PLANNING 

The  reader  may  have  been  struck  by  the  complexity  of  the  reasoning  required  by  the 
makeclear  derivation,  as  contrasted  with  the  apparent  simplicity  of  the  original 
planning  problem.  In  fact  the  most  difficult  parts  of  the  proof  are  involved  not  with 
generating  the  plan  itself,  but  with  proving  that  it  meets  the  specified  conditions 
successfully.  We  mrght  speculate  that  human  beings  never  completely  prove  the 
correctness  of  the  plans  they  develop,  relying  instead  on  their  ability  to  draw  plausible 
inferences  and  to  replan  at  any  time  if  trouble  arises.  By  a  process  of  successive 
debugging,  the  hacker  system  of  Sussman  [73]  developed  a  plan  similar  to  our 
makeclear  plan,  but  it  never  demonstrated  the  plan's  correctness.  (It  also  relied  on 
somewhat  higher-level  knowledge.)  While  imprecise  inference  may  be  necessary  for 
planning  applications,  fully  rigorous  theorem  proving  seems  better-suited  to  more 
conventional  program  synthesis. 
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7  2.  THE  PROBLEM  OF  STRATEGIC  CONTROL 

Many  people  believe  that  a  theorem-proving  approach  is  inadequate  for  planning 
because  a  generai-purpose  theorem  prover  will  never  be  able  to  compete  with  a  system 
whose  strategies  are  designed  especially  for  problem  solving.  Although  we  have  not 
yet  dealt  with  the  strategic  question,  we  propose  to  overlay  a  general-purpose  theorem 
prover  with  a  special  strategic  component  for  planning.  For  example,  the  warplan 
system  (Warren  [74])  might  be  regarded  as  a  situational-logic  theorem  prover 
equipped  with  a  strategy  that  enables  it  to  imitate  the  strips  planning  system  (Fikes 
and  Nilsson  [71]).  We  speculate  that,  in  the  same  way.  a  theorem  prover  could 
be  induced  to  mimic  any  dedicated  planning  system,  given  the  requisite  strategic 
component. 
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